A new U.S. Treasury report concluded that decentralized finance (DeFi) services are being used by bad actors to launder the proceeds of illegal activity, aided by crypto platforms whose anti-money laundering and sanctions compliance programs are weak or non-existent.

“The assessment finds that illicit actors, including ransomware cybercriminals, thieves, scammers, and [North Korea-based] cyber actors, are using DeFi services in the process of transferring and laundering their illicit proceeds,” said the report, issued Thursday.

Bad actors accomplish these illicit transfers by exploiting vulnerabilities in U.S. and foreign anti-money laundering/countering the financing of terrorism (AML/CFT) regulatory, supervisory, and enforcement regimes, as well as cybersecurity vulnerabilities that leave the platforms open to theft of digital assets, the report said.

While the Treasury said in a press release there is “no generally accepted definition of DeFi,” the term “DeFi services” is used in the report to refer to “providers of a variety of activities, including terms broadly used by industry to include a platform, exchange, application, organization, and others.”

The report found that the illicit finance risk posed by DeFi services stems from the fact that many are not compliant with existing U.S. AML/CFT obligations, even though DeFi platforms providing financial services in the United States are financial institutions subject to the Bank Secrecy Act (BSA).

Some DeFi services do not understand their AML/CFT obligations under the BSA, the report said, while others “may purposefully seek to decentralize a virtual asset service in an attempt to avoid triggering AML/CFT obligations” and have “developed with opaque organization structure” that “may present critical challenges to supervision.”

The report recommended that the United States strengthen its supervision of AML/CFT regulations, consider additional guidance for the private sector on DeFi services’ AML/CFT obligations, and assess enhancements to address any AML/CFT regulatory gaps related to DeFi services.

The Treasury’s report on DeFi services was generated in response to an executive order issued by President Joe Biden in March 2022, which, among other directives, ordered federal regulators to “mitigate the illicit finance and national security risks posed by the illicit use of digital assets,” according to a White House fact sheet accompanying the order.

Despite the potential risks posed by DeFi services, the report noted that “most money laundering, terrorist financing, and proliferation financing by volume and value of transactions occurs in fiat currency” or outside digital assets.